Heartbleed tools an opportunity to talk security

Heartbleed, the OpenSSL vulnerability that leaves most of the Internet and supporting technology open to compromise, crossed over into the mainstream where even computing novices and neophytes are talking about their risk exposure. Security vendors are racing to put testing tools into the field, and those tools are creating opportunities for solution providers to talk with customers about their security posture and risk management.

First, a little about Heartbleed. Finland-based Codenomicon discovered the vulnerability, which allows the compromise of OpenSSL, one of the core security protections of Web sites and networking systems. Essentially, the vulnerability allows hackers to steal virtually any piece of information held by a given domain, including usernames, credentials and other identifying data.

Security researchers believe up to two-thirds of Web sites on the Internet are vulnerable to Heartbleed, making it one of the most serious threats ever. There’s even evidence that the vulnerability affects numerous Cisco and Juniper networking devices, and may extend down to endpoints such as Android smartphones.

Already, hackers and organized crime groups are using Heartbleed to compromise Web sites and steal valuable information. Reports are surfacing that several high-profile cloud providers, including Amazon and Google, are open to compromise. And, other reports indicate that the National Security Agency has known about Heartbleed for years and used it for its spying activities.

Fixing the vulnerability isn’t trivial, but also isn’t easy. An updated version of OpenSSL has been released; applying the update to Web servers and affected software implementations will close the vulnerability. Affected users are also advised to change all passwords, since it’s unknown whether they’ve already been compromised. Fixing the vulnerability in devices requires a patch, and not all vendors have released updates for their particular implementations.

The pervasiveness and seriousness of the Heartbleed vulnerability pushed it quickly into the mainstream consciousness. News outlets have chattered about Heartbleed since its discovery last week, getting many businesses and individuals wondering about their risk exposure and the security reliability of the online services they use.

System checking tools appeared almost immediately after the Heartbleed disclosure. These tools simply check whether a domain echoes back a test string sent through the OpenSSL vulnerability. If the test string is returned, there’s a high probability the site and/or domain is open to compromise.
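The check these tools perform comes down to one length field in the TLS heartbeat message: a request claims a payload length, and a vulnerable server trusts that claim instead of comparing it against the bytes actually received. The following Python is an added example, not code from the article or from any of the vendors it names. It parses a TLS heartbeat record, flags a request whose declared payload length exceeds the data present (the shape a checker sends and the shape an intrusion detection rule looks for), and shows a responder that applies the same bounds check the fixed OpenSSL release added. The sample records are constructed inline; the function names and verdict strings are this example's own.

```python
import struct

# TLS record content type for heartbeat messages (RFC 6520) and the two message types.
TLS_HEARTBEAT = 24
HB_REQUEST, HB_RESPONSE = 1, 2
# RFC 6520 requires at least 16 bytes of random padding after the payload.
PADDING_LEN = 16


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body), checking the record length."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared record length")
    return ctype, version, body


def classify_heartbeat(body: bytes) -> str:
    """Return 'ok' or a reason describing why this heartbeat body is malformed.

    The key rule (RFC 6520 section 4): type(1) + length(2) + payload + padding(16)
    must fit inside the record body. The unpatched code skipped this comparison and
    copied payload_len bytes from process memory, which is the leak the checkers detect.
    """
    if len(body) < 3:
        return "truncated heartbeat header"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown heartbeat type"
    available = len(body) - 3 - PADDING_LEN
    if 3 + payload_len + PADDING_LEN > len(body):
        return f"declared payload {payload_len} bytes exceeds the {available} actually present"
    return "ok"


def safe_heartbeat_response(body: bytes):
    """Patched-style responder: echo the payload only when its length is consistent.

    Mirrors the bounds check added in the fixed OpenSSL release; a malformed request
    is silently discarded (None) rather than answered from uninitialised memory.
    """
    if classify_heartbeat(body) != "ok":
        return None
    payload_len = struct.unpack("!H", body[1:3])[0]
    payload = body[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def build_heartbeat_record(hb_type: int, payload: bytes) -> bytes:
    """Build a well-formed heartbeat record (TLS 1.1 version bytes) for the examples below."""
    body = struct.pack("!BH", hb_type, len(payload)) + payload + b"\x00" * PADDING_LEN
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


def scan_records(records) -> list:
    """Classify a sequence of raw TLS records the way a passive monitor would."""
    verdicts = []
    for raw in records:
        ctype, _version, body = parse_tls_record(raw)
        if ctype != TLS_HEARTBEAT:
            verdicts.append("not a heartbeat record")
        else:
            verdicts.append(classify_heartbeat(body))
    return verdicts


# Constructed sample traffic (not captured from any real host).
GOOD_RECORD = build_heartbeat_record(HB_REQUEST, b"hello")
# Same 5-byte payload, but the length field claims 0x4000 (16384) bytes: the mismatch
# a vulnerable server would honour and a checker or IDS signature keys on.
OVERSIZED_RECORD = (b"\x18\x03\x02\x00\x18"           # heartbeat record, 24-byte body
                    + b"\x01\x40\x00" + b"hello" + b"\x00" * PADDING_LEN)
APPDATA_RECORD = b"\x17\x03\x02\x00\x03abc"            # ordinary application data, ignored

if __name__ == "__main__":
    for raw, verdict in zip((GOOD_RECORD, OVERSIZED_RECORD, APPDATA_RECORD),
                            scan_records([GOOD_RECORD, OVERSIZED_RECORD, APPDATA_RECORD])):
        print(f"{raw[:5].hex()}... -> {verdict}")
```

Run as a script it prints one verdict per record; the same `classify_heartbeat` rule works on the request side for a monitor and on the response side for a server, which is why a single bounds check was enough to close the hole.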

Several security vendors have released tools to check for the Heartbleed vulnerability. Among the first was one written by Italian cryptologist Filippo Valsorda, simply called “Heartbleed Test.” Security vulnerability scanner vendor Qualys released its own “SSL Server Test,” which essentially performs the same checks. And, most recently, McAfee (soon to be Intel Security) released its own Heartbleed checking tool.

The beauty of each of these tools is they do not require access to a customer’s infrastructure or servers to perform the check. Solution providers can use any of these tools to look at their customers’ Web sites to see if they’re vulnerable to the OpenSSL vulnerability. From there, they can open a conversation about how the vulnerability should be addressed and implement a fix, which results in professional services engagements.

Moreover, the same testing tools can be applied to sales prospects. Solution providers can run Heartbleed checks against companies that are slow to engage, inactive accounts, or new leads. The discovery of a Heartbleed vulnerability is a good door opener for talking about the need for security policies, updated security infrastructure, and ongoing management and professional support.

Security professionals loathe the use of FUD – fear, uncertainty and doubt – as a means for selling the value of security technology and support. Leveraging the Heartbleed crisis isn’t a FUD situation; it’s an opportunity to talk about the true value of security in risk management, business continuity and, ultimately, creating a competitive advantage. The Heartbleed checkers released by McAfee, Qualys and others are as much lead generation utilities as they are security tools.